classification
Title: remove tempfile.mktemp()
Type: security Stage: resolved
Components: IO, Library (Lib) Versions: Python 3.9, Python 3.8, Python 3.7
process
Status: closed Resolution:
Dependencies: Superseder: Remove tempfile.mktemp()
View: 36309
Assigned To: Nosy List: ZackerySpytz, serhiy.storchaka, wyz23x2
Priority: normal Keywords:

Created on 2020-02-27 02:57 by wyz23x2, last changed 2020-03-08 01:53 by wyz23x2. This issue is now closed.

Messages (13)
msg362762 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 02:57
the tempfile.mktemp() function was deprecated since version 2.3; it's long ago (nearly 17 years)! It should be removed since it causes security holes, as stated in the tempfile doc (https://docs.python.org/3/library/tempfile.html#tempfile.mktemp).
msg362763 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 03:02
A small typo in the 1st comment:
The tempfile.mktemp() function was deprecated since version 2.3; it's long ago (nearly 17 years!). It should be removed since it causes security holes, as stated in the tempfile doc (https://docs.python.org/3/library/tempfile.html#tempfile.mktemp).
msg362764 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2020-02-27 04:38
I think this is a duplicate of bpo-36309.
msg362769 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 05:26
Sorry, didn't realize that.
msg362770 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 05:28
But I think the function should redirect to NamedTemporaryFile(delete=False).
msg362771 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 05:51
You could add a check that does this:
(a)
from tempfile import mktemp
with open(mktemp()) as f:
    pass  # do something...

## No Warnings
(b)
from tempfile import mktemp
path = mktemp()
# do something...
with open(mktemp()) as f:
    pass  # do something...

## RuntimeWarning: mktemp() is unsafe. Use NamedTemporaryFile(delete=False).
msg362773 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 05:57
(c)
from tempfile import mktemp
# do something...
path = mktemp()
# do something... (the "path" var is not used at all)

## No Warning
msg362775 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 06:04
Case (c) is for the case stated in https://mail.python.org/pipermail/python-dev/2019-March/156725.html (a temporary name that another program will create / act on).
msg362776 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 06:06
I know it's hard to achieve :)
msg362777 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 06:08
Sorry, in (a) and (b) it should be "with open(mktemp(), 'x') as f:".
msg362778 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-27 06:36
Reopen.
1. See https://mail.python.org/pipermail/python-dev/2019-March/156765.html and https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File. It's *serious*.
2. Why not use this to generate a temporary name that another program will create/act on?
import secrets
x = "/tmp/"  # x is a directory path like "/tmp"
n = 32       # n is a large int (number of random bytes)
path = f"{x}{secrets.token_hex(n)}"
# do something...
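An added example (not code from this issue or from CPython) contrasting the name-then-create pattern that mktemp() encourages with the 'x' mode check from msg362777, the mkstemp() replacement, and the secrets-based name suggestion above. The lost race is simulated in-process by creating the file between the two steps; the function names and the simulate_race flag are assumptions of this example.

```python
import os
import secrets
import tempfile


def write_with_mktemp(dirname, simulate_race=False):
    """Name-then-create, the pattern mktemp() encourages.  With simulate_race
    set, the file is created by 'someone else' between mktemp() and open(),
    standing in for another process winning the race."""
    path = tempfile.mktemp(dir=dirname)
    if simulate_race:
        with open(path, "w") as other:
            other.write("planted")
    with open(path, "w") as f:  # 'w' silently reuses an existing path
        f.write("secret")
    return path


def write_exclusive(dirname, simulate_race=False):
    """Same flow, but mode 'x' (O_CREAT|O_EXCL) refuses an existing path,
    so a lost race fails loudly instead of writing into someone else's file."""
    path = tempfile.mktemp(dir=dirname)
    if simulate_race:
        open(path, "w").close()
    with open(path, "x") as f:
        f.write("secret")
    return path


def write_mkstemp(dirname):
    """The recommended replacement: mkstemp() creates the file atomically with
    O_EXCL and 0600 permissions and hands back the already-open descriptor."""
    fd, path = tempfile.mkstemp(dir=dirname)
    with os.fdopen(fd, "w") as f:
        f.write("secret")
    return path


def random_name(dirname, nbytes=32):
    """Name for a file another program will create, per msg362778: 256 random
    bits make guessing impractical, but the name alone creates nothing, so
    the consumer must still open it with 'x' / O_EXCL."""
    return os.path.join(dirname, secrets.token_hex(nbytes))


def demo():
    """Run the patterns in a fresh directory and report what happened."""
    r = {}
    with tempfile.TemporaryDirectory() as d:
        p = write_with_mktemp(d, simulate_race=True)
        r["mktemp_overwrote_planted_file"] = open(p).read() == "secret"
        try:
            write_exclusive(d, simulate_race=True)
            r["exclusive_refused"] = False
        except FileExistsError:
            r["exclusive_refused"] = True
        p = write_mkstemp(d)
        r["mkstemp_private"] = os.name == "nt" or (os.stat(p).st_mode & 0o077) == 0
        r["random_name_len"] = len(os.path.basename(random_name(d)))
    return r
```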
msg362809 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2020-02-27 15:33
wyz23x2, why do you think that this is not a duplicate of issue36309?
msg362860 - (view) Author: wyz23x2 (wyz23x2) * Date: 2020-02-28 02:52
Well, I just think it's *serious*.
I respect your thoughts. If you want to close this, you can.
History
Date User Action Args
2020-03-08 01:53:25 wyz23x2 set status: open -> closed
2020-02-28 02:52:29 wyz23x2 set messages: + msg362860
2020-02-27 15:33:45 serhiy.storchaka set nosy: + serhiy.storchaka
    messages: + msg362809
2020-02-27 11:27:01 ZackerySpytz set nosy: + ZackerySpytz
2020-02-27 06:41:10 wyz23x2 set nosy: - ZackerySpytz
2020-02-27 06:36:28 wyz23x2 set status: closed -> open
    resolution: duplicate ->
    messages: + msg362778
2020-02-27 06:14:00 serhiy.storchaka set status: open -> closed
    superseder: Remove tempfile.mktemp()
    resolution: duplicate
    stage: resolved
2020-02-27 06:08:25 wyz23x2 set messages: + msg362777
2020-02-27 06:06:02 wyz23x2 set messages: + msg362776
2020-02-27 06:04:41 wyz23x2 set messages: + msg362775
2020-02-27 05:57:22 wyz23x2 set messages: + msg362773
2020-02-27 05:51:38 wyz23x2 set messages: + msg362771
2020-02-27 05:28:59 wyz23x2 set messages: + msg362770
2020-02-27 05:26:22 wyz23x2 set messages: + msg362769
2020-02-27 04:38:54 ZackerySpytz set nosy: + ZackerySpytz
    messages: + msg362764
2020-02-27 03:03:17 wyz23x2 set components: + Library (Lib)
2020-02-27 03:02:15 wyz23x2 set messages: + msg362763
2020-02-27 02:57:01 wyz23x2 create